On 22 March 2012 17:02, Marsh Ray <marsh@extendedsubset.com> wrote:
On 03/22/2012 09:57 AM, Peter Maxwell wrote:
From
http://blogs.computerworld.com/19917/shocker_nsa_chief_denies_total_informat...
"Remember," former intelligence official Binney stated, "a lot of
foreign government stuff we've never been able to break is 128 or less. Break all that and you'll find out a lot more of what you didn't know-stuff we've already stored-so there's an enormous amount of information still in there."
In other words, they've accumulated a backlog of ciphertext. Encryption working as designed.
Depends on what you mean by "as designed" really. Personally, I'd presume as designed is to slow down or hinder an adversary, which would probably fit in this scenario.
Binney added the NSA is "on the verge of breaking a key encryption
algorithm."
This sounds like budget boondoggle baloney to me.
How can you be "on the verge" of something like that?
You might have some ideas on how to attack it, but until they're proven they're just guesses and likely to be dead ends. Not something you should justify reworking your computing systems around.
But once they're proven, you're not "on the verge".
Meh, strictly speaking, yes, but if we're talking in practical terms it may be the case that they've figured out how to break some cryptographic primitive in significantly less time than the original design specifications but it would still take more computing oomph than they currently have. Fairly sure there was similar considerations about 64-bit RC5 in the late 90s - people knew it could be cracked by brute force, but took a distributed effort to prove as much (may have details slightly wrong as was long time ago and I can't be bothered looking it up). The scenario is not particularly likely though.
That sounds far more plausible than the previous explanations. I'd
also suspect the "key encryption algorithm" may be RC4 and not AES at the moment.
Or it could just be all the 40- and 56- bit stuff that was captured by wiretapping Americans and not decrypted way back when the NSA felt constrained by laws.
Hehe... "NSA constrained by laws", erm, yeah, I suppose there's a first for everything ;-)
Or it could be everything using 512-bit RSA key exchange.
Or it could be everything for which the security of the encryption ultimately depends on a user-chosen password. E.g., MS-PPTP/MPPE (but there's nothing really new about this).
Or it could be a common protocol using a cipher weakly. For example, I noticed this the other day about RDP "standard, non-FIPS" mode: http://msdn.microsoft.com/en-us/library/cc240771%28v=prot.10%29.aspx If the endpoints do actually manage to negotiate the use of 128 bit (as opposed to 40 or 56 bit) security, it uses the output of RC4 without discarding any initial bytes. Those initial bytes have some correlations, some of which can expose the whole key. Just to make sure the 1684 bit state size of RC4 doesn't get stale, the protocol refreshes the key every 4096 packets. (Actually better than MPPE which seems to rekey every 1 or 256 packets depending on negotiated options).
Or it could be complete BS.
In reality, they've probably got a lot of uses for more computing power and the chances of us ever finding out in our lifetime are slim. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE